Terraform Notaction Notresource Policy Locals
Description
Detects Terraform IAM policies defined in locals blocks that contain negative policy statements (using NotAction or NotResource). Negative statements in IAM policies can lead to unintentionally broad permissions: combined with an Allow effect, they grant every action or resource EXCEPT the ones explicitly listed, so anything added to the service later is permitted by default.
Detection Strategy
• Identifies Terraform code blocks that use the 'locals' keyword
• Examines IAM policy definitions within these locals blocks
• Reports a vulnerability when a policy contains NotAction or NotResource statements
• Alerts on negative policy statements since they create overly permissive access by default
Vulnerable code example

locals {
  policy_document = jsonencode({ # Vulnerable: Using NotAction with Allow creates security risk
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow" # Combined with NotAction, allows all actions except specified ones
        NotAction = ["*"]
        Principal = "*"
        ...

Secure code example
locals {
  policy_document = jsonencode({ # Secure: Explicitly list allowed actions and resources
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [ # Explicitly list required actions instead of NotAction
          "s3:GetObject",
          ...
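The detection strategy above, carried out as an added example that is not Fluid Attacks' own rule code: a small scanner that scopes to top-level locals blocks, matches their braces, and reports every NotAction or NotResource key found inside. The Terraform sample is constructed for this illustration; the brace matching is a simplification that ignores braces inside string literals.

```python
import re

# Constructed sample (not from the page): a negative policy and an explicit one in
# locals, plus a policy outside locals that this rule does not scope to.
SAMPLE_TF = """\
locals {
  bad_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect      = "Allow"
      NotAction   = ["iam:*"]
      NotResource = ["arn:aws:s3:::audit-logs/*"]
    }]
  })
  good_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = ["s3:GetObject"], Resource = ["*"] }]
  })
}
resource "aws_iam_policy" "outside" {
  policy = jsonencode({ Statement = [{ Effect = "Deny", NotAction = ["s3:*"] }] })
}
"""

NEGATIVE_KEYS = ("NotAction", "NotResource")

def locals_blocks(hcl):
    """Yield (line_number, text) of each top-level locals block by matching its braces."""
    for m in re.finditer(r"^[ \t]*locals[ \t]*\{", hcl, re.MULTILINE):
        depth, i = 0, m.end() - 1
        while i < len(hcl):
            if hcl[i] == "{":
                depth += 1
            elif hcl[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield hcl.count("\n", 0, m.start()) + 1, hcl[m.start():i + 1]

def find_negative_statements(hcl):
    """Return [(line, key)] for every NotAction/NotResource key inside a locals block."""
    findings = []
    for first_line, body in locals_blocks(hcl):
        for offset, line in enumerate(body.splitlines()):
            for key in NEGATIVE_KEYS:
                if re.match(rf"\s*{key}\s*=", line):
                    findings.append((first_line + offset, key))
    return findings
```

Running find_negative_statements(SAMPLE_TF) reports the NotAction and NotResource keys on lines 6 and 7 of the sample and ignores the NotAction in the resource block, which lies outside any locals block.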